Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Security professionals have always contended that the weakest link in any security system isn’t the hardware or software—it’s nearly always a human or humans who interact with it.

A new study from information security vendor Code42, released July 24, bears witness to this once again, only this time the research reveals a rather disturbing trend: That a majority of CEOs and other business leaders, whose responsibility it is to oversee the protection of their enterprise’s most valuable assets, engage in exactly the type of risky behavior that jeopardizes their businesses' intellectual property.

Such are the foibles of humanity--only this particular type of foible can be extraordinarily devastating to a business enterprise if allowed to continue with impunity.

Despite the expense and effort of setting up security perimeters, CISOs and CEOs are planning for data breaches—stockpiling cryptocurrency and paying the ransom when they happen.

While companies know that prevention-only strategies don’t work anymore, most haven’t yet evolved to meet the new challenge.

IP Theft Widespread?

What were the most surprising aspects of this survey for Code42, outside of how widespread this IP theft practice is?

“I don’t think anybody in this industry should be particularly surprised about how widespread IP theft is by departing employees, but it is startling that Code42’s data security research uncovered that so many CEOs would admit to taking information,” Code42 Chief Information Security Officer Jadee Hanson told eWEEK. “I think the reason they walk away with their company’s IP and likely will continue to do so is that people feel entitled to their own work, so they probably don’t consider it stealing.

“And maybe they don’t even realize they’re stealing it because they aren’t knowledgeable enough about IP policies and regulations. If that’s the case, then I’d consider that to be alarming, too – if anybody, executives need to know the rules backwards and forwards.”

A couple of other findings in particular struck Hanson as surprising.

“It’s staggering that so many executives are stockpiling cryptocurrency to pay ransom,” Hanson said. “Our study showed that many executives have already paid a ransom, which is a very dangerous practice. For one thing, it enables and emboldens cybercriminals. From my standpoint, it shows how important it is for organizations to enhance their security plans beyond just prevention. A robust security program needs to include prevention and detection with a large focus on visibility across the environment.”

Nearly Two-Thirds of Respondents Breached in last 18 Months

As a CISO, Hanson said he found it startling that 61 percent of the respondents have been breached in the last 18 months.

“I expected the proportion of impacted companies to be high, but I did not expect that over half of the research respondents would have been impacted in that short timeframe,” Hanson said. “Securing your company’s information is not an easy job; it's important that focus be applied to not only prevention, but detection and full visibility as well. Being in security means that bad things will happen. When they do, you want to make sure you are positioned with the right visibility and recovery tools and services to bounce back.”

So what can infosec execs do about this? They are definitely caught in the middle.

“Infosec execs need to be proactively aware of what's going on in the industry and within their own organization,” Hanson said. “They need to be serious about educating their employees and turning them into data advocates.”

Code42’s data security study showed that three-quarters of CISOs believe they can enhance their security strategies by combining prevention and recovery together, so there’s definitely an awareness that strategies need to change. Four best practices that all CISOs should be doing every day, according to Hanson, include:

Take a proactive stance on data security beginning as soon as you hire employees by outlining their security responsibilities to your company. If employees are terminated because they didn’t meet their data security responsibilities, create an anonymous case study to use as part of your ongoing employee education training.

When an employee has submitted his/her resignation, reply by thanking them for their service, conducting an exit interview where you acknowledge that they’re trusted, remind them about adhering to company policy–and have them sign a document that summarizes IP law and their obligations to safeguard your corporate IP.

In terms of technology, have the type of solution in place that gives you visibility to data movement throughout the network in real time by identifying all types of files that are moved from a device, who is moving them, and when and where they’re being moved.

Follow up on all alerts in a timely manner. Communicate what you saw with the employee. It really doesn’t matter if it was a non-malicious or an actual malicious act. At that point, you’re just protecting your IP.

About the Data Exposure Report

The security, IT and business leader portions of the research for this report were conducted by Sapio Research, an independent research consultancy based in the United Kingdom. The survey was completed, via online response, during February 2018.

The research surveyed 1,034 security and IT leaders, including CSOs, CTOs, CISOs and CIOs, as well as 600 business leaders, all with budgetary decision-making power. All respondents came from companies with at least 250 employees. A total of 61 percent of the business leaders and 58 percent of the security and IT leader represent companies with more than 1,000 employees.

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 13 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.